Introduction.

In this expository paper we describe four primality tests. The first test is very efficient, 
but is only capable of proving that a given number is either composite or 'very probably' 
prime. The second test is a deterministic polynomial time algorithm to prove that a given 
number is either prime or composite. The third and fourth primality tests are at present
most widely used in practice. Both tests are capable of proving that a given number is 
prime or composite, but neither algorithm is deterministic. The third algorithm exploits 
the arithmetic of cyclotomic fields. Its running time is almost, but not quite polynomial 
time. The fourth algorithm exploits elliptic curves. Its running time is difficult to estimate, 
but it behaves well in practice. 

In section 1 we discuss the Miller-Rabin test. This is one of the most efficient probabilistic
primality tests. Strictly speaking, the Miller-Rabin test is not a primality test but
rather a 'compositeness test', since it does not prove the primality of a number. Instead, 
if n is not prime, the algorithm proves this in all likelihood very quickly. On the other 
hand, if n happens to be prime, the algorithm merely provides strong evidence for its 
primality. Under the assumption of the Generalized Riemann Hypothesis one can turn the 
Miller-Rabin algorithm into a deterministic polynomial time primality test. This idea, due 
to G. Miller, is also explained. 

In section 2 we describe the deterministic polynomial time primality test [3] that was 
proposed by M. Agrawal, N. Kayal and N. Saxena in 2002. At the moment the present 
paper was written, this new test, or rather a more efficient probabilistic version of it, had 
not yet been widely implemented. In practice, therefore, for proving the primality of a 
given integer, one still relies on older tests that are either not provably polynomial time 
or not deterministic. In the remaining two sections we present the two most widely used 
such tests. 

In section 3 we discuss the cyclotomic primality test. This test is deterministic and 
is actually capable of proving that a given integer n is either prime or composite. It does 
not run in polynomial time, but very nearly so. We describe a practical non-deterministic 
version of the algorithm. Finally in section 4, we describe the elliptic curve primality 
test. This algorithm also provides a proof of the primality or compositeness of a given 
integer n. Its running time is hard to analyze, but in practice the algorithm seems to run 
in polynomial time. It is not deterministic. The two 'practical' tests described in sections 3 
and 4 have been implemented and fine tuned. Using either of them it is now possible to 
routinely prove the primality of numbers that have several thousands of decimal digits [17, 
19]. 
1. A probabilistic test.

In this section we present a practical and efficient probabilistic primality test. Given a 
composite integer n > 1, this algorithm proves with high probability very quickly that 
n is not prime. On the other hand, if n passes the test, it is merely likely to be prime. 
The algorithm consists of repeating one simple step, a Miller-Rabin test, several times with
different random initializations. The probability that a composite number is not recognized 
as such by the algorithm, can be made arbitrarily small by repeating the main step a 
number of times. The algorithm was first proposed by M. Artjuhov [4] in 1966. In 1976 
M. Rabin proposed the probabilistic version [20]. Under assumption of the Generalized
Riemann Hypothesis (GRH) one can actually prove that n is prime by applying the test
sufficiently often. This leads to G. Miller's conditional algorithm [18]. Under assumption 
of GRH it runs in polynomial time. Our presentation follows the presentation of the 
algorithms in the excellent book by R. Crandall and C. Pomerance [8]. 
The following theorem is the key ingredient. 

Theorem 1.1. Let n > 9 be an odd positive composite integer. We write $n - 1 = 2^k m$
for some exponent $k \ge 1$ and some odd integer m. Let

$$B = \{x \in (\mathbb{Z}/n\mathbb{Z})^* : x^m = 1 \text{ or } x^{2^i m} = -1 \text{ for some } 0 \le i < k\}.$$

Then we have

$$\frac{\#B}{\varphi(n)} \le \frac{1}{4}.$$

Here $\varphi(n) = \#(\mathbb{Z}/n\mathbb{Z})^*$ denotes Euler's $\varphi$-function.

Proof. Let $2^l$ denote the largest power of 2 that has the property that it divides $p - 1$ for
every prime divisor p of n. Then the set B is contained in

$$B' = \{x \in (\mathbb{Z}/n\mathbb{Z})^* : x^{m2^{l-1}} = \pm 1\}.$$

Indeed, clearly any $x \in (\mathbb{Z}/n\mathbb{Z})^*$ satisfying $x^m = 1$ is contained in $B'$. On the other hand,
if $x^{2^i m} = -1$ for some $0 \le i < k$, we have $x^{2^i m} \equiv -1 \pmod p$ for every prime p dividing n.
It follows that for every p, the exact power of 2 dividing the order of x modulo p is equal
to $2^{i+1}$. In particular, $2^{i+1}$ divides $p - 1$ for every prime divisor p of n. Therefore we have
$l \ge i + 1$. So we can write $x^{m2^{l-1}} = (-1)^{2^{l-1-i}}$, which is $-1$ or $+1$ depending on
whether $l = i + 1$ or $l > i + 1$. It follows that $B \subset B'$.

By the Chinese Remainder Theorem, the number of elements $x \in (\mathbb{Z}/n\mathbb{Z})^*$ for which
we have $x^{m2^{l-1}} = 1$ is equal to the product over p of the number of solutions to the
equation $X^{m2^{l-1}} = 1$ modulo $p^{a_p}$. Here p runs over the prime divisors of n and $p^{a_p}$ is the
exact power of p dividing n. Since each of the groups $(\mathbb{Z}/p^{a_p}\mathbb{Z})^*$ is cyclic, the number of
solutions modulo $p^{a_p}$ is given by $\gcd((p-1)p^{a_p-1}, m2^{l-1}) = \gcd(p-1, m)2^{l-1}$. The last
equality follows from the fact that p does not divide m. Therefore we have

$$\#\{x \in (\mathbb{Z}/n\mathbb{Z})^* : x^{m2^{l-1}} = 1\} = \prod_{p \mid n} \gcd(p-1, m)2^{l-1}.$$

Similarly, the number of solutions of the equation $X^{m2^l} = 1$ modulo $p^{a_p}$ is equal to
$\gcd(p-1, m)2^l$, which is twice the number of solutions of $X^{m2^{l-1}} = 1$ modulo $p^{a_p}$. It
follows that the number of solutions of the equation $X^{m2^{l-1}} = -1$ modulo $p^{a_p}$ is also equal
to $\gcd(p-1, m)2^{l-1}$. Therefore we have

$$\#B' = 2\prod_{p \mid n} \gcd(p-1, m)2^{l-1},$$

and hence

$$\frac{\#B'}{\varphi(n)} = 2\prod_{p \mid n} \frac{\gcd(p-1, m)2^{l-1}}{(p-1)p^{a_p-1}}.$$

Suppose that $\#B/\varphi(n)$ exceeds $\frac{1}{4}$. We want to derive a contradiction. Since $B \subset B'$, we have

$$\frac{1}{4} < 2\prod_{p \mid n} \frac{\gcd(p-1, m)2^{l-1}}{(p-1)p^{a_p-1}}. \qquad (*)$$

We draw a number of conclusions from this inequality. First we note that $\gcd(p-1, m)2^{l-1}$
divides $(p-1)/2$, so that the right hand side of (*) is at most $2^{1-t}$ where t is the number
of different primes dividing n. It follows that $t \le 2$.

Suppose that $t = 2$, so that n has precisely two distinct prime divisors. If one of them,
say p, has the property that $p^2$ divides n so that $a_p \ge 2$, then the right hand side of (*) is
at most $2^{1-2}/3 = 1/6$. Contradiction. It follows that all exponents $a_p$ are equal to 1, so
that $n = pq$ for two distinct primes p and q. The inequality (*) now becomes

$$\frac{p-1}{\gcd(p-1, m)2^l} \cdot \frac{q-1}{\gcd(q-1, m)2^l} < 2.$$

Since the factors on the left hand side of this inequality are positive integers, they are both
equal to 1. This implies that $p - 1 = \gcd(p-1, m)2^l$ and $q - 1 = \gcd(q-1, m)2^l$. It follows
that the exact power of 2 dividing $p - 1$ as well as the exact power of 2 dividing $q - 1$ are
equal to $2^l$ and that the odd parts of $p - 1$ and $q - 1$ divide m. Considering the relation
$pq = 1 + 2^k m$ modulo the odd part of $p - 1$, we see that the odd part of $p - 1$ divides the
odd part of $q - 1$. By symmetry, the odd parts of $p - 1$ and $q - 1$ are therefore equal. This
implies $p - 1 = q - 1$ and contradicts the fact that $p \ne q$. Therefore we have $t = 1$ and
hence $n = p^a$ for some odd prime p and exponent $a \ge 2$. The inequality (*) now says that
$p^{a-1} < 4$, so that $p = 3$ and $a = 2$, contradicting the hypothesis that $n > 9$. This proves
the Theorem.

When a random $x \in (\mathbb{Z}/n\mathbb{Z})^*$ is checked to be contained in the set B of Theorem 1.1,
we say that 'n passes a Miller-Rabin test'. Checking that $x \in B$ involves raising $x \in \mathbb{Z}/n\mathbb{Z}$
to an exponent that is no more than n. Using the binary expansion of the exponent, this
takes no more than $O(\log n)$ multiplications in $\mathbb{Z}/n\mathbb{Z}$. Therefore a single exponentiation
involves $O((\log n)^{1+\mu})$ elementary operations or bit operations. Here $\mu$ is a constant with
the property that the multiplication algorithm in $\mathbb{Z}/n\mathbb{Z}$ takes no more than $O((\log n)^\mu)$
elementary operations. We have that $\mu = 2$ when we use the usual multiplication algorithm,
while one can take $\mu = 1 + \varepsilon$ for any $\varepsilon > 0$ by employing fast multiplication techniques.

By Theorem 1.1 the probability that a composite number n passes a single Miller-Rabin
test is at most 25%. Therefore, the probability that n passes $\log n$ such tests
is smaller than $1/n$. The probability that a large composite n passes $(\log n)^2$ tests is
astronomically small: less than $n^{-\log n}$. Since for most composite n the probability that n
passes a Miller-Rabin test is much smaller than $1/4$, one is in practice already convinced
of the primality of n when n successfully passes a handful of Miller-Rabin tests. This is
enough for most commercial applications.

Under assumption of the Generalized Riemann Hypothesis (GRH) for quadratic Dirichlet
characters, the Miller-Rabin test can be transformed into a deterministic polynomial
time primality test. This result goes back to G. Miller [18].

Theorem 1.2. (GRH) Let n be an odd positive integer. Let $n - 1 = 2^k m$ for
some exponent $k \ge 1$ and some odd integer m. If for all integers x between 1 and $2(\log n)^2$
one has

$$x^m \equiv 1 \pmod n \quad \text{or} \quad x^{2^i m} \equiv -1 \pmod n \text{ for some } 0 \le i < k,$$

then n is a prime number.

Proof. We first show that n is squarefree. See also [12]. Suppose that p is a prime for
which $p^2$ divides n. A special case of a result of Konyagin and Pomerance [10, (1.45)] on
the distribution of smooth numbers implies that for every odd integer $r \ge 5$ one has that

$$\#\{a \in \mathbb{Z} : 1 \le a \le r \text{ and } a \text{ is a product of primes} \le (\log r)^2\} \ge \sqrt{r}.$$

We apply this with $r = p^2$. It follows that the subgroup H of $(\mathbb{Z}/p^2\mathbb{Z})^*$ that is generated by
the natural numbers $x \le (\log n)^2$ has order at least p. On the other hand, the hypothesis
of the theorem implies that every $x \in H$, being a product of numbers a that satisfy
$a^{n-1} \equiv 1 \pmod{p^2}$, satisfies $x^{n-1} \equiv 1 \pmod{p^2}$. Since the order of the group $(\mathbb{Z}/p^2\mathbb{Z})^*$ is
$p(p-1)$ and p does not divide $n - 1$, we see that any $x \in H$ must satisfy $x^{p-1} \equiv 1 \pmod{p^2}$.
But this is impossible, because the subgroup of $(\mathbb{Z}/p^2\mathbb{Z})^*$ that consists of elements having
this property has order $p - 1$.

Therefore, if n is composite, it is divisible by two distinct odd primes p and q. Let $\chi$
denote the quadratic character of conductor p. By a result of E. Bach [6], proven under
assumption of the GRH, there exists a natural number $x < 2(\log p)^2 < 2(\log n)^2$ for
which $\chi(x) \ne 1$. Since the condition of the theorem implies that we have $\gcd(x, n) = 1$,
we must have $\chi(x) = -1$. Writing $p - 1 = 2^l \mu$ for some exponent $l \ge 1$ and some odd
integer $\mu$, we have that $x^{2^{l-1}\mu} \equiv \chi(x) = -1 \pmod p$. This implies that $-1$ is contained in
the subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ generated by x. Since the 2-parts of the subgroups of $(\mathbb{Z}/p\mathbb{Z})^*$
generated by $x^m$ and by x are the same, we have $x^m \not\equiv 1 \pmod p$ and hence $x^m \not\equiv 1 \pmod n$.
Therefore the hypothesis of the theorem implies that $x^{2^i m} \equiv -1 \pmod n$ for
some $0 \le i < k$. Since for this value of i we also have $x^{2^i m} \equiv -1 \pmod p$, necessarily the
equality $i = l - 1$ holds. It follows that we have $x^{2^{l-1}m} \equiv -1 \pmod q$, so that the order of
$x^m \pmod q$ is equal to $2^l$. Writing $q - 1 = 2^{l'}\mu'$ for some exponent $l' \ge 1$ and some odd
integer $\mu'$, we have therefore $l \le l'$.

Repeating the argument, but switching the roles of p and q, we conclude that $l = l'$.
Let $\chi'$ denote the quadratic character of conductor q. A second application of Bach's
theorem, this time to the non-trivial character $\chi\chi'$, provides us with a natural number $y <
2(\log n)^2$ for which $\chi\chi'(y) \ne 1$ and hence, say, $\chi(y) = -1$ while $\chi'(y) = 1$. The arguments
given above, but this time applied to y, show that we cannot have $y^m \equiv 1 \pmod n$,
so that necessarily $y^{2^i m} \equiv -1 \pmod n$ for some $0 \le i < k$. Moreover, the exponent i
is equal to $l - 1 = l' - 1$. It follows that $y^{2^{l'-1}m} \equiv -1 \pmod q$. This implies that the
element $y^m \in (\mathbb{Z}/q\mathbb{Z})^*$ has order $2^{l'}$. Since the 2-parts of the subgroups of $(\mathbb{Z}/q\mathbb{Z})^*$ generated by $y^m$
and by $y^{\mu'}$ are equal, the 2-part of the order of $y^{\mu'} \in (\mathbb{Z}/q\mathbb{Z})^*$ is also $2^{l'}$. This contradicts the fact that

$$1 = \chi'(y) \equiv y^{2^{l'-1}\mu'} \pmod q.$$

We conclude that n is prime and the result follows.

It is clear how to apply Theorem 1.2 and obtain a test that proves that n is prime under
condition of GRH: given an odd integer $n > 1$, we simply test the condition of Theorem 1.2
for all $a \in \mathbb{Z}$ satisfying $1 \le a \le 2(\log n)^2$. If n passes all these tests and GRH holds, then n
is prime. Each test involves an exponentiation in the ring $\mathbb{Z}/n\mathbb{Z}$. Since the exponent is less
than n, this can be done using only $O((\log n)^{1+\mu})$ elementary operations. Therefore this
is a polynomial time primality test. Testing n takes $O((\log n)^{3+\mu})$ elementary operations.
As before, we have $\mu = 2$ when we use the usual multiplication algorithm, while we can
take $\mu = 1 + \varepsilon$ for any $\varepsilon > 0$ by employing fast multiplication techniques.
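The two procedures of this section, as an added worked example (not code from the paper): `in_set_B` is the single Miller-Rabin step of Theorem 1.1, `liar_count` enumerates the set B for a small odd n so that the bound $\#B/\varphi(n) \le 1/4$ can be checked directly, `miller_rabin` repeats the step with random bases, and `miller_grh` runs the deterministic variant of Theorem 1.2. The function names are mine, `log` is taken to be the natural logarithm in the bound $2(\log n)^2$, and bases $x \ge n$ are skipped since they only arise for tiny n.

```python
import math
import random


def decompose(n):
    """Write n - 1 = 2^k * m with m odd, as in Theorem 1.1."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m


def in_set_B(n, x):
    """True iff x lies in the set B of Theorem 1.1, i.e. 'n passes a Miller-Rabin test' for x:
    x^m = 1 or x^(2^i m) = -1 (mod n) for some 0 <= i < k.  A non-unit x never passes."""
    k, m = decompose(n)
    y = pow(x, m, n)
    if y == 1 or y == n - 1:
        return True
    for _ in range(k - 1):          # successive squarings give x^(2^i m), i = 1, ..., k-1
        y = y * y % n
        if y == n - 1:
            return True
    return False


def liar_count(n):
    """(#B, phi(n)) for an odd n, by brute force over the units modulo n.
    Theorem 1.1 says #B / phi(n) <= 1/4 for every odd composite n > 9."""
    units = [x for x in range(1, n) if math.gcd(x, n) == 1]
    return sum(1 for x in units if in_set_B(n, x)), len(units)


def miller_rabin(n, rounds=20, seed=1):
    """Probabilistic test: False means n is certainly composite; True means all `rounds`
    random bases passed, which a composite n does with probability at most 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    rng = random.Random(seed)       # fixed seed only so the example is reproducible
    return all(in_set_B(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def miller_grh(n):
    """Deterministic test of Theorem 1.2: correct for every odd n > 1 if GRH holds.
    Every base x with 1 <= x <= 2 (log n)^2 has to pass."""
    if n < 2 or n % 2 == 0:
        return n == 2
    bound = min(n - 1, int(2 * math.log(n) ** 2))
    return all(in_set_B(n, x) for x in range(1, bound + 1))


if __name__ == "__main__":
    # 561 = 3 * 11 * 17 is a Carmichael number: it fools the Fermat test for every base,
    # yet only 10 of its 320 units lie in B.
    print(decompose(561), liar_count(561), miller_rabin(561), miller_grh(561))
    print(liar_count(25), miller_grh(1000003), miller_rabin(1000003))
```

For 561 the count comes out as 10 of 320 units, far below the 1/4 of Theorem 1.1; for the prime power 25 it is 4 of 20. Note that `miller_grh` costs $2(\log n)^2$ exponentiations, which is why the random version is what is used in practice.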

2. A deterministic polynomial time primality test. 

In the summer of 2002 the three Indian computer scientists M. Agrawal, N. Kayal and 
N. Saxena presented a deterministic polynomial time primality test. We describe and 
analyze this extraordinary result in this section. 

For any prime number r we let $\Phi_r(X) = X^{r-1} + \dots + X + 1$ denote the r-th cyclotomic
polynomial. Let $\zeta_r$ be a zero of $\Phi_r(X)$ and let $\mathbb{Z}[\zeta_r]$ denote the ring generated by $\zeta_r$ over $\mathbb{Z}$.
For any $n \in \mathbb{Z}$ we write $\mathbb{Z}[\zeta_r]/(n)$ for the residue ring $\mathbb{Z}[\zeta_r]$ modulo the ideal $(n)$ generated
by n. For $n \ne 0$, this is a finite ring.

Theorem 2.1. Let n be an odd positive integer and let r be a prime number. Suppose
that

(i) n is not divisible by any of the primes $< r$;

(ii) the order of $n \pmod r$ is at least $(\log n/\log 2)^2$;

(iii) for every $0 \le j < r$ we have $(\zeta_r + j)^n = \zeta_r^n + j$ in $\mathbb{Z}[\zeta_r]/(n)$.

Then n is a prime power.

Proof. It follows from condition (ii) that we have $n \not\equiv 1 \pmod r$. Therefore there exists
a prime divisor p of n that is not congruent to $1 \pmod r$. Let A denote the $\mathbb{F}_p$-algebra
$\mathbb{Z}[\zeta_r]/(p)$. It is a quotient of the ring $\mathbb{Z}[\zeta_r]/(n)$. For $k \in \mathbb{Z}$ coprime to r we let $\sigma_k$
denote the ring automorphism of A determined by $\sigma_k(\zeta_r) = \zeta_r^k$, and we let $\Delta$ denote the group
of these automorphisms. The map $(\mathbb{Z}/r\mathbb{Z})^* \to \Delta$ given by $k \mapsto \sigma_k$ is a well defined isomorphism.
We single out two special elements of $\Delta$. One is the Frobenius automorphism $\sigma_p$ and the other
is $\sigma_n$. Let $\Gamma$ denote the subgroup of $\Delta$ that is generated by $\sigma_p$ and $\sigma_n$.

Next we consider the subgroup G of elements of the multiplicative group $A^*$ that are
annihilated by the endomorphism $\sigma_n - n \in \mathbb{Z}[\Delta]$. In other words, we put

$$G = \{a \in A^* : \sigma_n(a) = a^n\}.$$

Pick a maximal ideal $\mathfrak{m}$ of A and put $k = A/\mathfrak{m}$. Then k is a finite extension of $\mathbb{F}_p$,
generated by a primitive r-th root of unity. Let $H \subset k^*$ be the image of G under the
natural map $\pi : A \to k$. The group H is cyclic. Its order is denoted by s. We have the
following commutative diagram.

    G  ⊂  A*
    ↓π     ↓π
    H  ⊂  k*

Since $\Delta$ is commutative, it acts on G. Since $\sigma_n$ and $\sigma_p$ act on G by raising to the power n
and p respectively, every $\sigma_m \in \Gamma$ acts on G by raising to a certain power $e_m$ that is prime
to $\#G$. The powers $e_m$ are well determined modulo the exponent $\exp(G)$ of G. Therefore
the map $\Gamma \to (\mathbb{Z}/\exp(G)\mathbb{Z})^*$, given by $\sigma_m \mapsto e_m$, is a well defined group homomorphism.
Since H is a cyclic quotient of G, its order s divides the exponent of G and the map
$\sigma_m \mapsto e_m$ induces a homomorphism

$$\Gamma \to (\mathbb{Z}/s\mathbb{Z})^*.$$

If $m \equiv p^i n^j \pmod r$, then it maps $\sigma_m \in \Gamma$ to $e_m \equiv p^i n^j \pmod s$.

It is instructive to see what all this boils down to when n is prime. Then we have
$n = p$ and $\sigma_n$ is equal to the Frobenius automorphism $\sigma_p$. The group G is all of $A^*$ so
that H is equal to $k^*$. Writing f for the order of p modulo r, the group $\Gamma = \langle\sigma_p\rangle$ has
order f while the group $H = k^*$ and its automorphism group $\mathrm{Aut}(H)$ are much larger.
Indeed, H has order $s = p^f - 1 = n^{\#\Gamma} - 1$ and $\mathrm{Aut}(H) = (\mathbb{Z}/s\mathbb{Z})^*$ is of comparable size.

Under the conditions of the theorem, but without assuming that n is prime, something
similar can be shown to be true.

Claim. We have that $s > n^{\sqrt{\#\Gamma}}$.

Using this inequality, we complete the proof of the theorem. Consider the homomorphism

$$\Gamma \to (\mathbb{Z}/s\mathbb{Z})^*$$

constructed above. We first apply the box principle in the small group $\Gamma$ and then obtain
a relation in $\mathbb{Z}$ from a relation in $(\mathbb{Z}/s\mathbb{Z})^*$ using the fact that the latter group is very large.
Let $q = n/p$. We consider the products $\sigma_p^i\sigma_q^j \in \Gamma$ for $0 \le i, j \le \lfloor\sqrt{\#\Gamma}\rfloor$. Since we have
$(1 + \lfloor\sqrt{\#\Gamma}\rfloor)^2 > \#\Gamma$, there are two pairs $(i, j) \ne (i', j')$ for which $\sigma_p^i\sigma_q^j$ and $\sigma_p^{i'}\sigma_q^{j'}$ are the
same element in $\Gamma$. It follows that their images in the group $(\mathbb{Z}/s\mathbb{Z})^*$ are the same as well.
Since $\sigma_q$ is mapped to $q \pmod s$, this means that $p^iq^j \equiv p^{i'}q^{j'} \pmod s$. The integer $p^iq^j$
does not exceed $n^{\max(i,j)} \le n^{\lfloor\sqrt{\#\Gamma}\rfloor} < s$. The same holds for $p^{i'}q^{j'}$. We conclude that
$p^iq^j = p^{i'}q^{j'}$ in $\mathbb{Z}$! Since $(i, j) \ne (i', j')$ it follows that n is a power of p.

This proves the theorem.

Proof of the claim. We first estimate $s = \#H$ in terms of $\#G$. Then we show that G
is large.

The first bound we show is

$$s \ge \#G^{1/[\Delta:\Gamma]}. \qquad (*)$$

Let C denote a set of coset representatives of $\Gamma$ in $\Delta$ and consider the homomorphism

$$G \to \prod_{i \in C} k^*$$

given by mapping $a \in G$ to the vector $(\sigma_i(a) \pmod{\mathfrak{m}})_{i \in C}$.

This map is injective. Indeed, if $a \in G$ has the property that $\sigma_i(a) = 1$ for some i, then
we also have $\sigma_{in}(a) = \sigma_i(a^n) = \sigma_i(a)^n = 1$ and similarly $\sigma_{ip}(a) = 1$. In other words, we
have $\sigma(a) = 1$ for all elements $\sigma$ in the coset of $\Gamma$ containing $\sigma_i$. Therefore, if $a \in G$ has the
property that $\sigma_i(a) = 1$ for all $i \in C$, then automatically also $\sigma_i(a) = 1$ for all $i \in (\mathbb{Z}/r\mathbb{Z})^*$.
It follows that $\sigma_i(a - 1) = 0$ for all $i \in (\mathbb{Z}/r\mathbb{Z})^*$. Writing the element $a - 1$ as $f(\zeta_r)$ for
some polynomial $f(X) \in \mathbb{F}_p[X]$, this implies that $f(\zeta_r^i) = 0$ for all $i \in (\mathbb{Z}/r\mathbb{Z})^*$. It follows
that the cyclotomic polynomial $\Phi_r(X)$ divides $f(X)$ in $\mathbb{F}_p[X]$ and hence that $a - 1 = 0$,
as required.

Since for every $i \in C$, the image of the map $G \to k^*$ given by $a \mapsto \sigma_i(a) \pmod{\mathfrak{m}}$ is
equal to H, the injectivity of the homomorphism implies that $\#G \le s^{[\Delta:\Gamma]}$, as required.

The second estimate is

$$\#G \ge 2^{r-1}. \qquad (**)$$

Since we have $p \not\equiv 1 \pmod r$, the irreducible factors of $\Phi_r(X) = (X^r - 1)/(X - 1)$ in the
ring $\mathbb{F}_p[X]$ have degree at least 2 and hence cannot divide any polynomial of degree 1.
Therefore the elements $\zeta_r + j$ for $0 \le j \le r - 2$ are not contained in any maximal ideal
of the ring A. It follows that they are units of A. By condition (iii), for each subset
$J \subset \{0, 1, \dots, r - 2\}$ the element

$$\prod_{j \in J}(\zeta_r + j)$$

is contained in G.

All these elements are distinct. Indeed, since the degree of the cyclotomic polynomial
$\Phi_r$ is $r - 1$, the only two elements that could be equal are the ones corresponding to
the extreme cases $J = \emptyset$ and $J = \{0, 1, \dots, r - 2\}$. This can only happen when
$\prod_{j=0}^{r-2}(X + j) - 1$ is divisible by $\Phi_r(X)$ in the ring $\mathbb{F}_p[X]$. Since both polynomials have
the same degree, we then necessarily have $\prod_{j=0}^{r-2}(X + j) - 1 = \Phi_r(X)$. Inspection of the
constant terms shows that $p = 2$. But this is impossible, because n is odd.

Since there are $2^{r-1}$ subsets $J \subset \{0, 1, \dots, r - 2\}$, we conclude that $\#G \ge 2^{r-1}$, as
required.

Combining the inequalities (*) and (**) we find that

$$s \ge \#G^{1/[\Delta:\Gamma]} \ge 2^{(r-1)/[\Delta:\Gamma]} = 2^{\#\Gamma} > n^{\sqrt{\#\Gamma}}.$$

Here we used the inequality $\#\Gamma > (\log n/\log 2)^2$. It follows from the fact that the order of
$\sigma_n \in \Gamma$ is larger than $(\log n/\log 2)^2$. Indeed, this order is equal to the order of n modulo r,
which by condition (ii) is larger than $(\log n/\log 2)^2$.
This proves the claim.

This theorem leads to the following primality test. 

Algorithm 2.2. Let $n > 1$ be a given odd integer.

(i) First check that n is not a proper power of an integer.

(ii) By successively trying $r = 2, 3, \dots$, determine the smallest prime r not dividing n nor
any of the numbers $n^i - 1$ for $1 \le i \le (\log n/\log 2)^2$.

(iii) For $0 \le j \le r - 1$ check that $(\zeta_r + j)^n = \zeta_r^n + j$ in the ring $\mathbb{Z}[\zeta_r]/(n)$.

If the number n does not pass the tests, it is composite. If it passes them, it is a prime.

Proof of correctness. If n is prime, it passes the tests by Fermat's little theorem.
Conversely, suppose that n passes the tests. We check the conditions of Theorem 2.1. By
definition of r, the number n has no prime divisors $< r$. Since r does not divide any of
the $n^i - 1$ for $1 \le i \le (\log n/\log 2)^2$, the order of n modulo r exceeds $(\log n/\log 2)^2$. This
shows that the second condition of Theorem 2.1 is satisfied. Since test (iii) has been passed
successfully, the third condition is satisfied. We deduce that n is a prime power. Since n
passed the first test, it is therefore prime.
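Algorithm 2.2 in full, as an added example (my code, not the paper's or the original AKS implementation). Step (iii) is carried out in $(\mathbb{Z}/n\mathbb{Z})[X]/(X^r - 1)$ and the result is reduced modulo $\Phi_r(X) = 1 + X + \dots + X^{r-1}$ afterwards, which is legitimate because r is prime; products are computed by Kronecker substitution (packing the coefficients into one big integer), an implementation choice of mine. One addition to the algorithm as printed: when the search in step (ii) meets a prime r that divides n, the function stops and reports composite (or prime, if $r = n$), so that condition (i) of Theorem 2.1 holds for the r that is eventually used. All function names are mine.

```python
import math


def is_perfect_power(n):
    """Step (i): True iff n = a^b for integers a > 1, b > 1 (integer b-th roots by bisection)."""
    for b in range(2, n.bit_length() + 1):
        lo, hi = 1, 1 << (n.bit_length() // b + 1)   # hi exceeds the real b-th root of n
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if mid ** b <= n:
                lo = mid
            else:
                hi = mid - 1
        if lo ** b == n:
            return True
    return False


def _is_small_prime(r):
    return r >= 2 and all(r % d for d in range(2, math.isqrt(r) + 1))


def _order(n, r):
    """Multiplicative order of n modulo a prime r not dividing n."""
    x, k = n % r, 1
    while x != 1:
        x, k = x * n % r, k + 1
    return k


def choose_r(n):
    """Step (ii): the smallest prime r dividing neither n nor any n^i - 1, 1 <= i <= (log2 n)^2,
    i.e. with ord_r(n) > (log n / log 2)^2.  Returns (r, None), or (r, verdict) when a prime r
    dividing n is met first (added safeguard: such an r settles primality on the spot)."""
    bound = int(math.log2(n) ** 2)
    r = 2
    while True:
        if _is_small_prime(r):
            if n % r == 0:
                return r, n == r
            if _order(n, r) > bound:
                return r, None
        r += 1


def _mul_mod(a, b, n, r):
    """Product in (Z/nZ)[X]/(X^r - 1) via Kronecker substitution: pack each coefficient list
    into one integer, multiply once, unpack the convolution and fold X^r -> 1."""
    w = (r * n * n).bit_length() + 1           # slot width: every convolution sum is < r n^2
    pa = pb = 0
    for c in reversed(a):
        pa = (pa << w) | c
    for c in reversed(b):
        pb = (pb << w) | c
    prod, mask = pa * pb, (1 << w) - 1
    out = [0] * r
    for i in range(2 * r - 1):
        out[i % r] += (prod >> (w * i)) & mask
    return [c % n for c in out]


def _pow_mod(base, e, n, r):
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = _mul_mod(result, base, n, r)
        base = _mul_mod(base, base, n, r)
        e >>= 1
    return result


def _mod_cyclotomic(f, n):
    """Reduce a length-r coefficient list modulo Phi_r(X) = 1 + X + ... + X^(r-1), r prime:
    subtracting f[r-1] * Phi_r leaves the unique representative of degree <= r - 2."""
    top = f[-1]
    return tuple((c - top) % n for c in f[:-1])


def aks_is_prime(n):
    """Algorithm 2.2 for an odd integer n > 1 (even n is handled directly)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    if is_perfect_power(n):                    # step (i)
        return False
    r, verdict = choose_r(n)                   # step (ii)
    if verdict is not None:
        return verdict
    for j in range(r):                         # step (iii): (zeta_r + j)^n == zeta_r^n + j ?
        lhs = _mod_cyclotomic(_pow_mod([j % n, 1] + [0] * (r - 2), n, n, r), n)
        rhs = [0] * r
        rhs[n % r] = 1
        rhs[0] = (rhs[0] + j) % n
        if lhs != _mod_cyclotomic(rhs, n):
            return False
    return True


if __name__ == "__main__":
    print(choose_r(31), aks_is_prime(31), aks_is_prime(561), aks_is_prime(2003 * 2011))
```

For $n = 31$ the search of step (ii) ends at $r = 29$, since 31 has order 28 modulo 29 while $(\log 31/\log 2)^2 \approx 24.5$. The constructed composite $2003 \cdot 2011$ has both factors above the r that is found, so it really is step (iii) that rejects it, whereas 561 and 91 are caught by the added divisibility check.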

Running time analysis. The first test is performed by checking that $n^{1/m} \notin \mathbb{Z}$ for all
integers m between 2 and $\log n/\log 2$. This can be done in time $O((\log n)^3)$ by computing
sufficiently accurate approximations to $n^{1/m} \in \mathbb{R}$. The second test does not take more than
r times $O((\log n)^2)$ multiplications with modulus $\le r$. This takes at most $O(r(\log r\log n)^2)$
bit operations. The third test takes r times $O(\log n)$ multiplications in the ring $\mathbb{Z}[\zeta_r]/(n)$.
The latter ring is isomorphic to $\mathbb{Z}[X]/(\Phi_r(X), n)$. If the multiplication algorithm that we
use to multiply two elements of bit size t takes no more than $O(t^\mu)$ elementary operations,
then this adds up to $O((r\log n)^{1+\mu})$ elementary operations. Since $\mu \ge 1$ and since r
exceeds the order of n modulo r, we have $r > (\log n/\log 2)^2$. Therefore the third test is
the dominating part of the algorithm.

We estimate how small we can take r. By definition of r, the product $n\prod_i(n^i - 1)$ is
divisible by all primes $l < r$. Here the product runs over $i \le (\log n/\log 2)^2$. So

$$\sum_{l < r}\log l \le \log n + \log n\sum_i i = O((\log n)^5).$$

A weak and easily provable form of the prime number theorem says that there exists a
constant $c > 0$, so that for every r we have $\sum_{l < r}\log l \ge cr$. Therefore we have $r =
O((\log n)^5)$. It follows that the algorithm takes $O((\log n)^{6(1+\mu)})$ elementary operations.
When the usual multiplication algorithm is used, we have that $\mu = 2$ and this leads to an
algorithm that takes at most $O((\log n)^{18})$ elementary operations. It takes $O((\log n)^{12+\varepsilon})$
elementary operations when fast multiplication techniques are employed.

Remark 1. Since the upper bound $\sqrt{\#\Gamma}$ is optimal for the box principle, the inequality
$2^{\#\Gamma} > n^{\sqrt{\#\Gamma}}$ used above implies that $\#\Gamma \le r - 1$ needs to be at least $(\log n/\log 2)^2$.
This we know to be the case because the order of $\sigma_n \in \Gamma$, which is equal to the order of
$n \in (\mathbb{Z}/r\mathbb{Z})^*$, exceeds $(\log n/\log 2)^2$. The argument involving the prime number theorem
given above implies then that we cannot expect to be able to prove that the order of
magnitude of the prime r is smaller than $O((\log n)^2)$. Therefore this algorithm cannot be
expected to be proved to run faster than $O((\log n)^{3(1+\mu)})$. On the other hand, in practice
one easily finds a suitable prime of the smallest possible size $O((\log n)^2)$. Therefore the
practical running time of the algorithm is $O((\log n)^{3(1+\mu)})$.

Remark 2. One may replace the ring $\mathbb{Z}[\zeta_r]/(n) = (\mathbb{Z}/n\mathbb{Z})[X]/(\Phi_r(X))$ by any Galois
extension of $\mathbb{Z}/n\mathbb{Z}$ of the form $(\mathbb{Z}/n\mathbb{Z})[X]/(f(X))$ that admits an automorphism $\sigma$ with
the properties that

- $\sigma(X) = X^n$;

- $\sigma$ has order at least $(\log n/\log 2)^2$.

This was pointed out by Hendrik Lenstra shortly after the algorithm described above
came out. The running time of the resulting modified algorithm is then $O((d\log n)^{1+\mu})$
where d is the degree of the polynomial $f(X)$. Since the order of $\sigma$ is at most d, one
has that $d \ge (\log n/\log 2)^2$ and one cannot obtain an algorithm that runs faster than
$O((\log n)^{3(1+\mu)})$. Since then Lenstra and Pomerance [16] showed that for every $\varepsilon > 0$ one
can construct suitable rings with $d = O((\log n)^{2+\varepsilon})$. This leads to a primality test that
runs in time $O((\log n)^{(3+\varepsilon)(1+\mu)})$. This is essentially the same as the practical running
time mentioned above.

3. The cyclotomic primality test. 

In this section we describe the cyclotomic primality test. This algorithm was proposed
in 1981 by L. Adleman, C. Pomerance and R. Rumely [1]. It is one of the most powerful
practical tests available today [17]. Our exposition follows H. Lenstra's Bourbaki lecture [13].
See also [7, section 9.1] and [22, section 16.1]. The actual computations involve
Jacobi sums, but the basic idea of the algorithm is best explained in terms of Gaussian
sums. See the books by L. Washington [22] and S. Lang [11] for a more systematic discussion
of the basic properties of Gaussian sums and Jacobi sums. For any positive integer r,
we denote the subgroup of r-th roots of unity of $\overline{\mathbb{Q}}$ by $\mu_r$.

Definition. Let q be a prime and let r be a positive integer prime to q. Let $\chi : (\mathbb{Z}/q\mathbb{Z})^* \to
\mu_r$ be a character and let $\zeta_q$ be a primitive q-th root of unity. Then we define the Gaussian
sum $\tau(\chi)$ by

$$\tau(\chi) = \sum_{x \in (\mathbb{Z}/q\mathbb{Z})^*} \zeta_q^x\chi(x).$$
The Gaussian sum $\tau(\chi)$ is an algebraic integer, contained in the cyclotomic field $\mathbb{Q}(\zeta_r, \zeta_q)$.
We have the following diagram of fields

              Q(ζ_r, ζ_q)
            G /         \ Δ
        Q(ζ_r)           Q(ζ_q)
              \         /
                  Q

The Galois group of $\mathbb{Q}(\zeta_r, \zeta_q)$ over $\mathbb{Q}$ is isomorphic to $\Delta \times G$. Here we have $\Delta = \{\sigma_i :
i \in (\mathbb{Z}/r\mathbb{Z})^*\}$, where $\sigma_i \in \Delta$ is the automorphism that acts trivially on q-th roots of unity,
while its action on r-th roots of unity is given by $\sigma_i(\zeta_r) = \zeta_r^i$. The map $(\mathbb{Z}/r\mathbb{Z})^* \to \Delta$
given by $i \mapsto \sigma_i$ is an isomorphism of groups. Similarly, we have $G = \{\rho_j : j \in (\mathbb{Z}/q\mathbb{Z})^*\}$
where $\rho_j \in G$ is the automorphism given by $\rho_j(\zeta_r) = \zeta_r$ and $\rho_j(\zeta_q) = \zeta_q^j$. The map
$(\mathbb{Z}/q\mathbb{Z})^* \to G$ given by $j \mapsto \rho_j$ is an isomorphism of groups. We write the actions of
the group rings $\mathbb{Z}[\Delta]$ and $\mathbb{Z}[G]$ on the multiplicative group $\mathbb{Q}(\zeta_r, \zeta_q)^*$ using exponential
notation.

One easily checks the following relations.

$$\tau(\chi)^{\sigma_i} = \tau(\chi^i), \quad \text{for } i \in (\mathbb{Z}/r\mathbb{Z})^*,$$

and

$$\tau(\chi)^{\rho_j} = \chi(j)^{-1}\tau(\chi), \quad \text{for } j \in (\mathbb{Z}/q\mathbb{Z})^*.$$

We write $\overline{\tau(\chi)}$ for the complex conjugate of $\tau(\chi)$. For $\chi \ne 1$ one has

$$\tau(\chi)\overline{\tau(\chi)} = q,$$

showing that $\tau(\chi)$ is an algebraic integer that is only divisible by primes that lie over q.
For our purposes the key property of the Gaussian sums is the following.

Proposition 3.1. Let q be a prime, let r be a positive integer prime to q. Let $\chi :
(\mathbb{Z}/q\mathbb{Z})^* \to \mu_r$ be a character and let $\tau(\chi)$ be the corresponding Gaussian sum. Then,
for every prime number p not dividing qr we have

$$\tau(\chi)^{\sigma_p - p} = \chi^p(p), \quad \text{in the ring } \mathbb{Z}[\zeta_q, \zeta_r]/(p).$$

Proof. We have that $\tau(\chi)^p \equiv \sum_{x \in (\mathbb{Z}/q\mathbb{Z})^*}\zeta_q^{px}\chi^p(x)$ modulo the ideal $p\mathbb{Z}[\zeta_q, \zeta_r]$. Multiplying
by $\chi^p(p)$ and replacing the variable x by $p^{-1}x$, we get that

$$\chi^p(p)\tau(\chi)^p \equiv \chi^p(p)\sum_{x \in (\mathbb{Z}/q\mathbb{Z})^*}\zeta_q^x\chi^p(p^{-1}x) = \tau(\chi^p) = \tau(\chi)^{\sigma_p} \pmod p$$

as required.

The cyclotomic primality test proceeds by checking the congruence of Proposition 3.1
for suitable characters $\chi : (\mathbb{Z}/q\mathbb{Z})^* \to \mu_r$. The next theorem is the key ingredient for the
cyclotomic primality test.
Theorem 3.2. Let n be a natural number. Let q be a prime not dividing n, let r be a
power of a prime number l not dividing n and let $\chi : (\mathbb{Z}/q\mathbb{Z})^* \to \mu_r$ be a character. If

- for every prime p dividing n there exists $\lambda_p$ in the ring $\mathbb{Z}_l$ of l-adic integers such that

$$p^{l-1} = n^{(l-1)\lambda_p}, \quad \text{in } \mathbb{Z}_l^*;$$

- the Gaussian sum $\tau(\chi)$ satisfies

$$\tau(\chi)^{\sigma_n - n} \in \langle\zeta_r\rangle, \quad \text{in the ring } \mathbb{Z}[\zeta_q, \zeta_r]/(n),$$

then we have

$$\chi(p) = \chi(n)^{\lambda_p}$$

for every prime divisor p of n.

Note that $\lambda_p \in \mathbb{Z}_l$ in the first condition is well defined because both $n^{l-1}$ and $p^{l-1}$ are
congruent to $1 \pmod l$. In addition, $\lambda_p$ is unique. When l is odd, the first condition is
equivalent to the condition that the fraction $(p^{l-1} - 1)/(n^{l-1} - 1)$ is l-integral. In the second
condition, we denote by $\langle\zeta_r\rangle$ the cyclic subgroup of $(\mathbb{Z}[\zeta_r]/(n))^*$ of order r generated by $\zeta_r$.
Note that the group $\langle\zeta_r\rangle$ is not necessarily equal to the group of r-th roots of unity in the
ring $\mathbb{Z}[\zeta_r]/(n)$.

Proof of the theorem. We may assume that $\chi$ is a non-trivial character. By the second
condition we have that

$$\tau(\chi)^{\sigma_n^{-1}n} = \eta\,\tau(\chi), \quad \text{for some } \eta \in \langle\zeta_r\rangle \subset \mathbb{Z}[\zeta_q, \zeta_r]/(n).$$

Note that the operator $\sigma_n^{-1}n \in \mathbb{Z}[\Delta]$ has the property that $\eta^{\sigma_n^{-1}n} = \eta$. Therefore, for any
integer $L > 0$, applying it $(l-1)L$ times leads to the relation

$$\tau(\chi)^{(\sigma_n^{-1}n)^{(l-1)L}} = \eta^{(l-1)L}\,\tau(\chi), \quad \text{in the ring } \mathbb{Z}[\zeta_q, \zeta_r]/(n).$$

On the other hand, Proposition 3.1 implies that for any prime divisor p of n we have
$\tau(\chi)^{\sigma_p^{-1}p} = \chi(p)^{-1}\tau(\chi)$ and hence

$$\tau(\chi)^{(\sigma_p^{-1}p)^{l-1}} = \chi(p)^{-(l-1)}\tau(\chi), \quad \text{in the ring } \mathbb{Z}[\zeta_q, \zeta_r]/(p).$$

Let $l^M$ be the order of the l-part of the finite multiplicative group $(\mathbb{Z}[\zeta_q, \zeta_r]/(n))^*$ and let
A denote the group $(\mathbb{Z}[\zeta_q, \zeta_r]/(n))^*$ modulo $l^M$-th powers. Let L be an integer between 0
and $l^M$ for which $L \equiv \lambda_p \pmod{l^M}$. Then we have $p^{l-1} = n^{(l-1)\lambda_p} \equiv n^{(l-1)L} \pmod{l^M}$ and hence
$(\sigma_n^{-1}n)^{(l-1)L} = (\sigma_p^{-1}p)^{l-1}$ in the ring $(\mathbb{Z}/l^M\mathbb{Z})[\Delta]$. It follows that the left hand sides of the two
formulas above are equal in the group A. Then the same is true for the right hand sides.
Since $\tau(\chi)$ is invertible modulo p, this means

$$\eta^{(l-1)L} = \chi(p)^{-(l-1)} \quad \text{in the group } A.$$

Since $l - 1$ is coprime to the order of $\mu_r$ and since the natural map $\langle\zeta_r\rangle \to A$ is injective,
this implies

$$\eta^{\lambda_p} = \chi(p)^{-1} \quad \text{in the group } \langle\zeta_r\rangle \subset (\mathbb{Z}[\zeta_q, \zeta_r]/(n))^*.$$

When we multiply the formulas of the first condition
for the various prime divisors p of n together, we see that for every positive divisor d of n
there exists $\lambda_d \in \mathbb{Z}_l$ for which $d^{l-1} = n^{(l-1)\lambda_d}$ in $\mathbb{Z}_l$. We have, of course, $\lambda_n = 1$. From
the relation $\lambda_{dd'} = \lambda_d + \lambda_{d'}$, we deduce that $\eta^{\lambda_d} = \chi(d)^{-1}$ for every divisor d of n. In
particular, we have $\eta = \eta^{\lambda_n} = \chi(n)^{-1}$ and hence

$$\chi(p)^{-1} = \eta^{\lambda_p} = \chi(n)^{-\lambda_p}, \quad \text{that is,} \quad \chi(p) = \chi(n)^{\lambda_p},$$

for every prime divisor p of n, as required.
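The ring arithmetic behind Proposition 3.1 and the second condition of Theorem 3.2, as an added example (my code, not from the paper or from any cyclotomic-test implementation). Elements of $\mathbb{Z}[\zeta_q, \zeta_r]/(n)$ are represented in $(\mathbb{Z}/n\mathbb{Z})[X, Y]/(X^q - 1, Y^r - 1)$ with X for $\zeta_q$ and Y for $\zeta_r$, and compared after reduction modulo $\Phi_q(X)$ and $\Phi_r(Y)$; this restricts the example to prime r with $r \mid q - 1$, whereas the theorem allows prime powers. The character is fixed as $\chi(g^a) = \zeta_r^a$ for the smallest generator g of $(\mathbb{Z}/q\mathbb{Z})^*$. `proposition_3_1_holds` checks $\tau(\chi)^{\sigma_p} = \chi^p(p)\tau(\chi)^p$ modulo p, and `gauss_sum_condition` looks for an e with $\tau(\chi)^{\sigma_n} = \zeta_r^e\tau(\chi)^n$ modulo n, i.e. tests whether $\tau(\chi)^{\sigma_n - n} \in \langle\zeta_r\rangle$. The sample values $q = 7$, $r = 3$, the primes tested and the composite $n = 55$ are constructed for the example; the class and function names are mine.

```python
from math import gcd


def _prime_factors(m):
    fs, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            fs.add(d)
            m //= d
        d += 1
    if m > 1:
        fs.add(m)
    return fs


def _generator(q):
    """Smallest generator of the cyclic group (Z/qZ)*, q an odd prime."""
    for g in range(2, q):
        if all(pow(g, (q - 1) // f, q) != 1 for f in _prime_factors(q - 1)):
            return g
    raise ValueError("q must be an odd prime")


class CyclotomicRing:
    """Z[zeta_q, zeta_r]/(n) for primes q, r with r | q - 1 and gcd(n, qr) = 1.
    Elements are q x r grids: entry [i][j] is the coefficient of X^i Y^j in
    (Z/nZ)[X, Y]/(X^q - 1, Y^r - 1); `canonical` reduces modulo Phi_q(X) and Phi_r(Y),
    so two elements are equal in Z[zeta_q, zeta_r]/(n) iff their canonical forms agree."""

    def __init__(self, n, q, r):
        assert gcd(n, q * r) == 1 and (q - 1) % r == 0, "need gcd(n, qr) = 1 and r | q - 1"
        self.n, self.q, self.r, self.g = n, q, r, _generator(q)

    def zero(self):
        return [[0] * self.r for _ in range(self.q)]

    def mul(self, a, b):
        n, q, r, out = self.n, self.q, self.r, self.zero()
        for i1 in range(q):
            for j1 in range(r):
                if a[i1][j1]:
                    for i2 in range(q):
                        for j2 in range(r):
                            if b[i2][j2]:
                                out[(i1 + i2) % q][(j1 + j2) % r] += a[i1][j1] * b[i2][j2]
        return [[c % n for c in row] for row in out]

    def pow(self, a, e):
        result = self.zero()
        result[0][0] = 1
        while e:
            if e & 1:
                result = self.mul(result, a)
            a = self.mul(a, a)
            e >>= 1
        return result

    def sigma(self, a, k):
        """The automorphism sigma_k: zeta_r -> zeta_r^k with zeta_q fixed (k coprime to r)."""
        out = self.zero()
        for i in range(self.q):
            for j in range(self.r):
                out[i][j * k % self.r] = (out[i][j * k % self.r] + a[i][j]) % self.n
        return out

    def canonical(self, a):
        n, q, r = self.n, self.q, self.r
        b = [[(a[i][j] - a[q - 1][j]) % n for j in range(r)] for i in range(q - 1)]  # mod Phi_q(X)
        return tuple(tuple((row[j] - row[r - 1]) % n for j in range(r - 1)) for row in b)  # mod Phi_r(Y)

    def chi_exponent(self, x):
        """a mod r with x = g^a (mod q): chi(x) = zeta_r^a for the order-r character chi(g) = zeta_r."""
        y, a = 1, 0
        while y != x % self.q:
            y, a = y * self.g % self.q, a + 1
        return a % self.r

    def root_of_unity(self, e):
        z = self.zero()
        z[0][e % self.r] = 1
        return z

    def gauss_sum(self):
        """tau(chi) = sum over x in (Z/qZ)* of zeta_q^x chi(x): a 1 at position (x, log_g x mod r)."""
        t = self.zero()
        for x in range(1, self.q):
            t[x][self.chi_exponent(x)] = 1
        return t


def proposition_3_1_holds(p, q, r):
    """Proposition 3.1 for the prime p: tau(chi)^sigma_p = chi^p(p) tau(chi)^p in Z[zeta_q, zeta_r]/(p)."""
    R = CyclotomicRing(p, q, r)
    tau = R.gauss_sum()
    lhs = R.canonical(R.sigma(tau, p))
    rhs = R.canonical(R.mul(R.root_of_unity(R.chi_exponent(p) * p), R.pow(tau, p)))
    return lhs == rhs


def gauss_sum_condition(n, q, r):
    """Second condition of Theorem 3.2: the e with sigma_n(tau) = zeta_r^e tau^n in
    Z[zeta_q, zeta_r]/(n), i.e. tau^(sigma_n - n) in <zeta_r>, or None if no such e exists."""
    R = CyclotomicRing(n, q, r)
    tau = R.gauss_sum()
    lhs = R.canonical(R.sigma(tau, n))
    tau_n = R.pow(tau, n)
    for e in range(r):
        if R.canonical(R.mul(R.root_of_unity(e), tau_n)) == lhs:
            return e
    return None


if __name__ == "__main__":
    print([proposition_3_1_holds(p, 7, 3) for p in (5, 11, 13, 17, 19)])
    print(gauss_sum_condition(11, 7, 3), gauss_sum_condition(13, 7, 3), gauss_sum_condition(55, 7, 3))
```

For a prime n the condition holds with $e \equiv a n \pmod r$ where $n \equiv g^a$, exactly as Proposition 3.1 predicts (for $n = 11$, $q = 7$, $r = 3$ this is $e = 2$); for the constructed composite $n = 55$ no e works, which is what the cyclotomic test detects. Taking $r = 2$ gives the quadratic character, and the same code then verifies the congruence $\tau(\chi)^{p-1} \equiv \chi(p) \pmod p$ familiar from the Gauss-sum proof of quadratic reciprocity.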

Algorithm. The following algorithm is based on Theorem 3.2. Suppose we want to prove
that a natural number n is prime. First determine an integer $R > 0$ that has the property
that

$$s = \prod_{\substack{q - 1 \mid R \\ q \text{ prime}}} q$$

exceeds $\sqrt{n}$. At the end of this section we recall that there is a constant $c > 0$ so that
for every natural number $n > 16$ there exists an integer $R < (\log n)^{c\log\log\log n}$ that has
this property. Taking R equal to the product of the first few small prime powers is a good
choice. For all primes q dividing s and for each prime power r that divides $q - 1$ exactly,
we make sure that $\gcd(n, qr) = 1$ and then check the two conditions of Theorem 3.2 for
one character of conductor q and order r. When n passes all these tests, we check for
$k = 1, \dots, R - 1$ whether the smallest positive residue of $n^k$ modulo s divides n. If that
never happens, then n is prime.

Proof of correctness. We first note that when n is prime, Proposition 3.1 implies that it
passes all tests. Conversely, suppose that $p \le \sqrt{n}$ is a prime divisor of n. For every prime
l dividing R, let $\lambda_p$ be the l-adic number that occurs in the first condition of Theorem 3.2.
Let $L \in \{0, 1, \dots, R - 1\}$ be the unique integer for which we have

$$L \equiv \lambda_p \pmod r,$$

for the power r of l that exactly divides R. Theorem 3.2 implies therefore that $\chi(p) = \chi(n)^L$
for the set of characters of conductor q and order r for which the conditions of Theorem 3.2
have been checked. Since we have $s = \prod_{q-1 \mid R} q$, the exponent of the group $(\mathbb{Z}/s\mathbb{Z})^*$
divides R. Therefore our set of characters generates the group of all characters of $(\mathbb{Z}/s\mathbb{Z})^*$.
It follows that

$$p \equiv n^L \pmod s.$$

Since we have $0 < p \le \sqrt{n} < s$, this means that p must actually be equal to the smallest
positive residue of $n^k$ modulo s for some $k = 0, 1, \dots, R - 1$. Since we checked that none
of these numbers divides n, we obtain a contradiction. It follows that p cannot exist, so
that n is necessarily prime.
In practice, checking the first condition of Theorem 3.2 is easy. When $l \ne 2$, the
number $\lambda_p \in \mathbb{Z}_l$ of the first condition exists if and only if for any prime divisor p of n,
the rational number $(p^{l-1} - 1)/(n^{l-1} - 1)$ is l-integral. Since we have $p^{l-1} \equiv 1 \pmod l$,
this is automatic when we have $n^{l-1} \not\equiv 1 \pmod{l^2}$. Given n, this usually holds true for
various prime numbers l. Another useful criterion is the following. It can be checked 'for
free' when one checks the second condition of Theorem 3.2.

Proposition 3.3. Let $n > 1$ be an integer and let $l$ be a prime number not dividing $n$.
Then there exists for every prime divisor $p$ of $n$ an exponent $\lambda_p \in \mathbf Z_l$ for which

$$p^{l-1} = n^{(l-1)\lambda_p} \quad\text{in } \mathbf Z_l^*,$$

if there exists a prime $q$ not dividing $n$ for which the following holds.

(i) ($l \ne 2$) for some power $r > 1$ of $l$ and some character $\chi : (\mathbf Z/q\mathbf Z)^* \to \mu_r$ of order $r$
the number $\tau(\chi)^{\sigma_n - n}$ is a generator of the cyclic subgroup $\langle \zeta_r \rangle$ of $(\mathbf Z[\zeta_q, \zeta_r]/(n))^*$.

(ii) ($l = 2$ and $n \equiv 1 \pmod 4$) we have $\tau(\chi)^{\sigma_n - n} = -1$ for the quadratic character $\chi$
modulo $q$.

(iii) ($l = 2$ and $n \equiv 3 \pmod 4$) for some character $\chi : (\mathbf Z/q\mathbf Z)^* \to \mu_r$ of 2-power
order $r \ge 4$, the number $\tau(\chi)^{\sigma_n - n}$ is a generator of the cyclic subgroup $\langle \zeta_r \rangle$ of
$(\mathbf Z[\zeta_q, \zeta_r]/(n))^*$. Moreover, the Gaussian sum associated to the quadratic character
$\chi^{r/2}$ satisfies $\tau(\chi^{r/2})^{\sigma_n - n} = -1$ in the ring $\mathbf Z[\zeta_q]/(n)$.

Proof. Let $p$ be a prime divisor of $n$ and let $r$ be a power of $l$. As in the proof of
Theorem 3.2, let $l^e$ denote the order of the $l$-part of the unit group $(\mathbf Z[\zeta_q, \zeta_r]/(p))^*$ and
let $A$ be the group $(\mathbf Z[\zeta_q, \zeta_r]/(p))^*$ modulo $l^e$-th powers. The latter is a module over
the $l$-adic group ring $\mathbf Z_l[\Delta]$. The multiplicative subgroup $\{\sigma_m^{-1} m \in \mathbf Z_l[\Delta] : m \in \mathbf Z_l^*\}$ is
naturally isomorphic to $\mathbf Z_l^*$. Therefore, when $l \ne 2$, its subgroup $G$ of $(l-1)$-th powers
is isomorphic to the additive group $\mathbf Z_l$. When $l = 2$, this is not true, but in that case
the subgroup of squares is isomorphic to $\mathbf Z_2$. By Proposition 3.1 for any prime $q$ and
character $\chi : (\mathbf Z/q\mathbf Z)^* \to \mu_r$ of order $r$ we have

$$\tau(\chi)^{p} = \chi(p)^{-p}\,\tau(\chi)^{\sigma_p}, \quad\text{in the group } A.$$

If $\tau(\chi)^{\sigma_n - n}$ is a generator of the group $\langle \zeta_r \rangle \subset (\mathbf Z[\zeta_q, \zeta_r]/(n))^*$, then we have

$$\tau(\chi)^{\sigma_n} = \eta\,\tau(\chi)^{n}, \quad\text{in the group } A,$$

for some primitive $r$-th root of unity $\eta \in \langle \zeta_r \rangle \subset (\mathbf Z[\zeta_q, \zeta_r]/(p))^*$.

Now we prove (i). Since $\eta$ is a primitive root, the operator $(\sigma_n^{-1} n)^{l-1} \in \mathbf Z_l[\Delta]$ cannot
be a 'proper' $l$-adic power of $(\sigma_p^{-1} p)^{l-1}$ in the sense that there cannot exist $\mu \in l\mathbf Z_l$ for
which $(\sigma_n^{-1} n)^{l-1} = (\sigma_p^{-1} p)^{(l-1)\mu}$. Since both operators are contained in the pro-cyclic
group $G \cong \mathbf Z_l$, the converse must therefore be true: we have $(\sigma_p^{-1} p)^{l-1} = (\sigma_n^{-1} n)^{(l-1)\lambda_p}$
and hence $p^{l-1} = n^{(l-1)\lambda_p}$ for some $\lambda_p \in \mathbf Z_l$.
To prove (ii), we observe that the values of $\chi$ are either $1$ or $-1$. Therefore we
have $\tau(\chi)^{\sigma_n} = \tau(\chi)$. Since we have $\tau(\chi)^2 = \chi(-1)\,\tau(\chi)\overline{\tau(\chi)} = \chi(-1)\,q$, the condition
$\tau(\chi)^{\sigma_n - n} = -1$ means precisely that

$$(\chi(-1)\,q)^{(n-1)/2} \equiv -1 \pmod n.$$

This shows that the 2-parts of the order of $\chi(-1)\,q \pmod p$ and of $n - 1$ are equal. This
means that $n - 1$ divides $p - 1$ in the ring of 2-adic integers $\mathbf Z_2$. Since $n \equiv 1 \pmod 4$, this
is equivalent to the statement that $p = n^{\lambda_p}$ for some $\lambda_p \in \mathbf Z_2$.

To prove (iii), we note that for $l = 2$, the group $G$ that we considered above is not
isomorphic to $\mathbf Z_2$, but the subgroup of squares is. Therefore the arguments of the proof of part (i)
only show that $p^2 = n^{2\lambda_p}$ and hence $p = \pm n^{\lambda_p}$ for some $\lambda_p \in \mathbf Z_2$. We show that we have
the plus sign. From the relation $p^2 = n^{2\lambda_p}$ we deduce that $\chi^{-1}(p)^2 = \eta^{2\lambda_p}$. Raising this
relation to the power $-r/4$, we find



Here we used the usual Legendre symbol to denote the quadratic character $\chi^{r/2}$. Since
$q \equiv 1 \pmod 4$, we have $\chi^{r/2}(-1) = 1$. Therefore the second condition $\tau(\chi^{r/2})^{\sigma_n - n} \equiv -1 \pmod n$
says precisely that we have $q^{(n-1)/2} \equiv -1 \pmod n$. Since $(n-1)/2$ is odd, it follows that

$$\left(\frac{q}{p}\right) = \left(\frac{q}{p}\right)^{(n-1)/2} = \left(\frac{-1}{p}\right).$$

Since $\chi$ has order at least 4, we have $q \equiv 1 \pmod 4$ and hence, by quadratic reciprocity,
$\left(\frac{q}{p}\right) = \left(\frac{p}{q}\right)$. The formulas above imply that $\left(\frac{-1}{p}\right) = (-1)^{\lambda_p}$. This means precisely
that $p \equiv n^{\lambda_p} \pmod 4$, so that we must have the plus sign, as required.

If the number $n$ that is being tested for primality is actually prime, then in each
instance the conditions of Proposition 3.3 are satisfied for a prime $q$ that has the property
that $n$ is not an $l$-th power modulo $q$. Given $n$, one encounters in practice for every prime
$l$ very quickly such a prime $q$, so that the first condition of Theorem 3.2 can be verified. In
the unlikely event that for some prime $l$ none of the primes $q$ has this property, one simply
tests the second condition of Theorem 3.2 for some more primes $q \equiv 1 \pmod l$.

Testing the second condition of Theorem 3.2 is a straightforward computation in the
finite ring $\mathbf Z[\zeta_q, \zeta_r]/(n)$. In practice it is important to reduce this to a computation in the
much smaller subring $\mathbf Z[\zeta_r]/(n)$. This is done by using Jacobi sums.

Definition. Let $q$ be a prime and let $\chi, \chi' : (\mathbf Z/q\mathbf Z)^* \to \mu_r$ be two characters. Then we
define the Jacobi sum $j(\chi, \chi')$ by

$$j(\chi, \chi') = -\sum_{x \in \mathbf Z/q\mathbf Z} \chi(x)\,\chi'(1 - x).$$

Here we extend $\chi$ and $\chi'$ to $\mathbf Z/q\mathbf Z$ by putting $\chi(0) = \chi'(0) = 0$.
The Jacobi sum is an algebraic integer, contained in the cyclotomic field $\mathbf Q(\zeta_r)$. If the
characters $\chi, \chi' : (\mathbf Z/q\mathbf Z)^* \to \mu_r$ satisfy $\chi\chi' \ne 1$, we have

$$j(\chi, \chi') = \frac{\tau(\chi)\,\tau(\chi')}{\tau(\chi\chi')}.$$

In particular, if $i > 0$ is prime to $r$ and less than the order of $\chi$, we have

The subgroup of the $l$-power order roots of unity in $\overline{\mathbf Q}$ is a $\mathbf Z[\Delta]$-module. Let $I \subset \mathbf Z[\Delta]$
be its annihilator. This ideal is generated by the elements of the form $\sigma_i - i$ with $i \in \mathbf Z$
coprime to $l$. Since we have $\tau(\chi)^{\sigma_j - 1} \in \mu_r$ for all $j \not\equiv 0 \pmod q$, we have

$$1 = \tau(\chi)^{(\sigma_j - 1)x} = \tau(\chi)^{x(\sigma_j - 1)}, \quad\text{for every } x \in I.$$

This shows that $\tau(\chi)^x$ is fixed by every $\sigma_j$, and hence that $\tau(\chi)^x$ is contained in $\mathbf Q(\zeta_r)$ for every $x \in I$.
This applies in particular to the element $x = \sigma_n - n \in I$. It turns out that it is possible
to check the condition of Theorem 3.2 that $\tau(\chi)^{\sigma_n - n}$ is contained in $\langle \zeta_r \rangle$, without ever
writing down the Gaussian sum $\tau(\chi) \in \mathbf Z[\zeta_r, \zeta_q]$, but by doing only computations with
Jacobi sums in the ring $\mathbf Z[\zeta_r]/(n)$.

When $l$ is odd, the ideal $I$ generates a principal ideal in the $l$-adic group ring $\mathbf Z_l[\Delta]$.
It is generated by any element of the form $\sigma_i - i$ for which $i^{l-1} \not\equiv 1 \pmod{l^2}$. We have
$2^{l-1} \not\equiv 1 \pmod{l^2}$ for all primes $l < 3 \cdot 10^{\ast}$ (the exponent is illegible in the source) except when $l = 1093$ or $3511$. Therefore we
can in practice always use $i = 2$. In this case the relevant Jacobi sum is given by

$$\tau(\chi)^{2 - \sigma_2} = \frac{\tau(\chi)^2}{\tau(\chi^2)} = j(\chi, \chi) = -\sum_{x \in \mathbf Z/q\mathbf Z} \chi\bigl(x(1 - x)\bigr).$$

A computation [7, section 9.1.5] shows that we have $\sigma_n - n = \alpha(\sigma_2 - 2)$ where $\alpha \in \mathbf Z_l[\Delta]$
is given by

$$\alpha = \sum_{\substack{1 \le i < r \\ \gcd(i, r) = 1}} \left[\frac{ni}{r}\right] \sigma_i^{-1}$$

times a unit in $\mathbf Z_l[\Delta]$. Here $[t]$ denotes the integral part of $t \in \mathbf R$. It follows that in order
to verify that $\tau(\chi)^{\sigma_n - n}$ is contained in the group $\langle \zeta_r \rangle$ and to see whether it has order $r$, it
suffices to evaluate the product

$$\prod_{\substack{1 \le i < r \\ \gcd(i, r) = 1}} j(\chi, \chi)^{[ni/r]\,\sigma_i^{-1}}$$

in the ring $\mathbf Z[\zeta_r]/(n)$ and check that it is contained in the group $\langle \zeta_r \rangle$ and see whether it
has order $r$. Since the elements in the ring $\mathbf Z_l[\Delta]$ map the subgroup $\langle \zeta_r \rangle \subset (\mathbf Z[\zeta_r]/(n))^*$ to
itself, the fact that we only know the element $\alpha$ up to multiplication by a unit in $\mathbf Z_l[\Delta]$ is
of no importance.
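As an added example, not from the paper, the following carries out the computation just described (the $l$ odd, $i = 2$ case) together with the Jacobi sum of the Definition above, for $q = 7$, $r = 3$ and the constructed inputs $n = 11$ and $n = 25$. It represents $\mathbf Z[\zeta_r]$ by coefficient vectors reduced modulo $1 + \zeta_r + \cdots + \zeta_r^{r-1}$, so it assumes $r$ prime rather than a prime power, and the function names are the example's own.

```python
from math import gcd

def primitive_root(q):
    """Smallest generator of (Z/qZ)*, q prime (trial search; fine for small q)."""
    phi = q - 1
    prime_divisors = [p for p in range(2, phi + 1)
                      if phi % p == 0 and all(p % d for d in range(2, p))]
    return next(g for g in range(2, q)
                if all(pow(g, phi // p, q) != 1 for p in prime_divisors))

def canon(v, r, n):
    """Reduce a coefficient vector (of zeta^0 .. zeta^(r-1)) modulo the cyclotomic
    polynomial 1 + zeta + ... + zeta^(r-1), r prime, and modulo n.  The last
    coefficient becomes 0, which makes the representation unique."""
    c = v[-1]
    return [(a - c) % n for a in v[:-1]] + [0]

def mul(u, v, r, n):
    """Product in Z[zeta_r]/(n): convolve exponents modulo r, then canonicalise."""
    w = [0] * r
    for i, a in enumerate(u):
        for k, b in enumerate(v):
            w[(i + k) % r] = (w[(i + k) % r] + a * b) % n
    return canon(w, r, n)

def power(u, e, r, n):
    """u^e in Z[zeta_r]/(n) by square-and-multiply."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = mul(result, u, r, n)
        u, e = mul(u, u, r, n), e >> 1
    return result

def sigma(u, k, r, n):
    """The automorphism sigma_k : zeta -> zeta^k (k coprime to r) applied to u."""
    w = [0] * r
    for i, a in enumerate(u):
        w[(i * k) % r] = (w[(i * k) % r] + a) % n
    return canon(w, r, n)

def jacobi_sum(q, r):
    """j(chi,chi) = -sum_x chi(x) chi(1-x) for the character chi(g^k) = zeta_r^k,
    as an (unreduced) integer coefficient vector; requires r | q-1."""
    g = primitive_root(q)
    log = {pow(g, k, q): k for k in range(q - 1)}       # discrete logs base g
    v = [0] * r
    for x in range(2, q):                                 # x = 0, 1 contribute 0
        v[(log[x] + log[(1 - x) % q]) % r] -= 1
    return v

def cyclotomic_check(n, q, r):
    """Evaluate prod_{1<=i<r} j(chi,chi)^{[n i / r] sigma_i^{-1}} in Z[zeta_r]/(n)
    (the l odd, i = 2 case, r prime).  Returns k if the product equals zeta_r^k,
    else None; None proves n composite, and k != 0 is the 'order r' outcome."""
    assert r > 2 and (q - 1) % r == 0 and gcd(n, q * r) == 1
    j = canon([c % n for c in jacobi_sum(q, r)], r, n)
    prod = [1] + [0] * (r - 1)
    for i in range(1, r):
        conj = sigma(j, pow(i, -1, r), r, n)             # sigma_i^{-1} j(chi,chi)
        prod = mul(prod, power(conj, (n * i) // r, r, n), r, n)
    for k in range(r):
        if prod == canon([int(t == k) for t in range(r)], r, n):
            return k
    return None

if __name__ == "__main__":
    print(jacobi_sum(7, 3))            # [-2, 0, -3]: j(chi,chi) = -2 - 3 zeta_3^2
    print(cyclotomic_check(11, 7, 3))  # 2: the product is zeta_3^2, so 11 passes
    print(cyclotomic_check(25, 7, 3))  # None: 25 fails, hence composite
```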

When $l = 2$, the $\mathbf Z_l[\Delta]$-ideal generated by $I$ is not principal. It is generated by the
elements $\sigma_3 - 3$ and $\sigma_{-1} + 1$. Suppose that the character $\chi : (\mathbf Z/q\mathbf Z)^* \to \mu_r$ has 2-power
order $r \ge 8$.

When $n \equiv 1$ or $3 \pmod 8$, the element $\sigma_n - n$ is contained in the $\mathbf Z_l[\Delta]$-ideal generated
by $\sigma_3 - 3$ and we may proceed as above, replacing the Jacobi sum by a product
of two Jacobi sums: $\tau(\chi)^{3 - \sigma_3} = j(\chi, \chi)\,j(\chi, \chi^2)$. We have $\sigma_n - n = \alpha(\sigma_3 - 3)$ where
$\alpha \in \mathbf Z_l[\Delta]$ is given by $\alpha = \sum_{i \in E} \left[\frac{ni}{r}\right] \sigma_i^{-1}$ times a unit in $\mathbf Z_l[\Delta]$. Here $E$ denotes the set
$\{i \in \mathbf Z : 1 \le i < r \text{ and } i \equiv 1, 3 \pmod 8\}$. Up to a $\mathbf Z_l[\Delta]$-automorphism we have

$$\tau(\chi)^{\sigma_n - n} = \prod_{i \in E} \bigl(j(\chi, \chi)\,j(\chi, \chi^2)\bigr)^{[ni/r]\,\sigma_i^{-1}},$$

and this expression involves only elements in the ring $\mathbf Z[\zeta_r]/(n)$.

When $n \equiv 5, 7 \pmod 8$, we have $\sigma_n - n = -(\sigma_{-n} + n) + (\sigma_{-n} + \sigma_n)$. Now the
element $\sigma_{-n} + n$ is contained in the ideal generated by $\sigma_3 - 3$, while we have $\tau(\chi)^{\sigma_{-n} + \sigma_n} =
\tau(\chi^{n})\,\tau(\chi^{-n}) = q\,\chi(-1)$. In this way one can express $\tau(\chi)^{\sigma_n - n}$ in a similar way in terms
of elements of the subring $\mathbf Z[\zeta_r]/(n)$. See [7, section 9.1.5] for the formulas.

When the order $r$ of the character is 2 or 4, it is easier to proceed directly. When
$r = 2$, we have $\tau(\chi)^{\sigma_n - n} = (\chi(-1)\,q)^{(1-n)/2}$ and one should check that this is equal to $\pm 1$
in the ring $\mathbf Z/(n)$. Finally let $r = 4$. We have $\tau(\chi)^{\sigma_n - n} = \bigl(j(\chi, \chi)^2\,\chi(-1)\,q\bigr)^{(1-n)/4}$ when
$n \equiv 1 \pmod 4$, while $\tau(\chi)^{\sigma_n - n}$ is $j(\chi, \chi)$ times an integral power of $j(\chi, \chi)^2\,\chi(-1)\,q$ when $n \equiv 3 \pmod 4$.
In either case, in order to verify the second condition of Theorem 3.2, one should check that this number is a power of
$i$ in the ring $\mathbf Z[i]/(n)$.

Running time analysis. All computations take place in finite rings of the form $\mathbf Z[\zeta_r]/(n)$,
where $r$ divides $R$. The various summations range over the congruence classes modulo $r$
or $q$. Both $q$ and $r$ are less than $R$. The number of pairs $(q, r)$ involved in the computations
is also at most $O(R)$. It follows that the number of elementary operations needed to
perform the calculations is proportional to $R$ times a power of $\log n$. Therefore it is
important that $R$ is small. On the other hand, the size of $s$ should be at least $\sqrt n$.

By a result in analytic number theory [8, Thm. 4.3.5] there is a constant $c > 0$ so that
for every natural number $n > 16$ there exists an integer $R < (\log n)^{c\log\log n}$ for which
$s = \prod_{q - 1 \mid R} q$ exceeds $\sqrt n$. It follows that the algorithm is almost polynomial time. It runs
in time $O\bigl((\log n)^{c'\log\log n}\bigr)$ for some constant $c' > 0$.

For instance, for $n$ of approximately 880 decimal digits, a good choice is $R = 2^{\ast} \cdot 3^{\ast} \cdot
5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19$, because then we have $s > 10^{\ast}$ (the starred exponents are illegible in the source). H.W. Lenstra proposed a slight
modification of the cyclotomic test that allows one to efficiently test integers $n$ satisfying
a weaker bound than $n < s^2$ for primality. See [13, Remark 8.7] and [14] for this important
practical improvement.
4. The elliptic curve primality test.

The elliptic curve primality test, proposed by A.O.L. Atkin in 1988, is one of the most
powerful primality tests that is used in practice [19]. In order to explain its principle, we
first consider a multiplicative group version of the test.

Theorem 4.1. Let $n > 1$ be a natural number and suppose that there is an element
$a \in \mathbf Z/n\mathbf Z$ and an exponent $s > 0$ satisfying

$$a^s = 1;$$

$$a^{s/q} - 1 \in (\mathbf Z/n\mathbf Z)^*, \quad\text{for every prime divisor } q \text{ of } s.$$

Then any prime dividing $n$ is congruent to $1 \pmod s$. In particular, if $s > \sqrt n$, then $n$ is
prime.

Proof. Let $p$ be a prime divisor of $n$. Then the image of $a$ in $\mathbf Z/p\mathbf Z$ is a unit of order $s$.
Indeed, $a^s \equiv 1 \pmod p$ while $a^{s/q} \not\equiv 1 \pmod p$ for every prime divisor $q$ of $s$. Therefore
$s$ divides the order of $(\mathbf Z/p\mathbf Z)^*$. In other words, $p \equiv 1 \pmod s$, as required. Since a
composite $n$ has a prime divisor $p \le \sqrt n$, the second statement of the theorem is also clear.
Therefore the theorem follows.

In applications, $s$ is a divisor of $n - 1$ and the element $a \in \mathbf Z/n\mathbf Z$ is the $(n-1)/s$-th
power of a randomly selected element. In order to test the condition that $a^{s/q} - 1 \in (\mathbf Z/n\mathbf Z)^*$
for every prime divisor $q$ of $s$, one evaluates the powers $b = a^{s/q}$ in the ring $\mathbf Z/n\mathbf Z$ and then
checks that $\gcd(n, b - 1) = 1$. In order to do this, one needs to know all prime divisors $q$
of $s$. On the other hand, $s$ needs to be large! Indeed, in order to conclude that $n$ is prime,
one needs that $s > \sqrt n$. In practice, $s$ is a completely factored divisor of $n - 1$. If $n$ is large,
computing such a divisor of $n - 1$ is usually very time consuming. Therefore, only rarely
is a large number $n$ proved prime by a direct application of this theorem.

Occasionally however, it may happen that one can compute a divisor $r > 1$ of $n - 1$
that has the property that $s = (n - 1)/r$ is probably prime. In practice, $r$ is the product
of the small prime divisors of $n - 1$ that one is able to find in a reasonably short time.
Therefore $r$ is rather small. Its cofactor $s$ is much larger. If, by a stroke of luck, the
number $s$ happens to pass some probabilistic primality test and one is confident that $s$
is prime, then Theorem 4.1 reduces the problem of proving the primality of $n$ to proving
the primality of $s$, which is at most half the size of $n$ and usually quite a bit smaller.
Indeed, pick a random $x \in \mathbf Z/n\mathbf Z$ and compute $a = x^r$. With very high probability we
have $a^s \equiv 1 \pmod n$ and $a - 1 \in (\mathbf Z/n\mathbf Z)^*$. Since $s > \sqrt n$, Theorem 4.1 implies that $n$ is
prime provided that the smaller number $s$ is prime. However, the chance that $n - 1$ factors
this way is on the average $O(1/\log n)$. Therefore any attempt to proceed in some kind of
inductive way has only a very slight chance of succeeding.
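As an added example, not from the paper, a verifier for the hypotheses of Theorem 4.1 as applied above, with $a$ the $(n-1)/s$-th power of a chosen $x$, and a checker for a chain of such reductions; the inputs $23 \to 11 \to 5$ and the base-2 pseudoprime $341$ are constructed, and the function names are the example's own.

```python
from math import gcd, isqrt

def theorem_4_1(n, s, s_primes, x):
    """Check the hypotheses of Theorem 4.1 for a = x^((n-1)/s) in Z/nZ, where s | n-1
    and s_primes lists the prime divisors of s.  Returns one of
      ('prime-if-s-prime', None)  all conditions hold and s > sqrt(n),
      ('composite', g)            n is composite (g is a proper factor, or None),
      ('inconclusive', None)      the theorem does not apply to these inputs."""
    if n < 3 or (n - 1) % s or s * s <= n:          # need s | n-1 and s > sqrt(n)
        return ('inconclusive', None)
    g = gcd(x, n)
    if g != 1:
        return ('composite', g if g < n else None)
    a = pow(x, (n - 1) // s, n)
    if pow(a, s, n) != 1:                            # a^s = x^(n-1) != 1: Fermat fails
        return ('composite', None)
    for q in s_primes:
        b = pow(a, s // q, n)
        g = gcd(b - 1, n)                            # a^(s/q) - 1 must be a unit
        if g == n:
            return ('inconclusive', None)            # order of a too small; try another x
        if g != 1:
            return ('composite', g)                  # a proper factor of n
    return ('prime-if-s-prime', None)

def is_small_prime(p):
    return p > 1 and all(p % d for d in range(2, isqrt(p) + 1))

def verify_chain(chain):
    """chain: list of (n, s, s_primes, x), each s | n-1 completely factored as s_primes.
    Every q in s_primes must be certified by a later entry of the chain (q == that
    entry's n) or be a tiny prime checked by trial division, so the primality of
    the first n reduces step by step to the primality of small numbers."""
    certified = set()
    for n, s, s_primes, x in reversed(chain):
        if any(q not in certified and not (q < 10 and is_small_prime(q))
               for q in s_primes):
            return False
        if theorem_4_1(n, s, s_primes, x)[0] != 'prime-if-s-prime':
            return False
        certified.add(n)
    return True

if __name__ == "__main__":
    print(theorem_4_1(23, 11, [11], 5))        # ('prime-if-s-prime', None)
    # 2^340 = 1 mod 341 although 341 = 11 * 31, but 2^20 = 1 mod 341 as well,
    # so a^(s/17) - 1 is not a unit and the theorem gives no conclusion:
    print(theorem_4_1(341, 85, [5, 17], 2))    # ('inconclusive', None)
    print(verify_chain([(23, 11, [11], 5), (11, 5, [5], 2), (5, 4, [2], 2)]))  # True
```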

Elliptic curves provide a way out of this situation. The main point is that for prime $n$
there are many elliptic curves $E$ over $\mathbf Z/n\mathbf Z$ and the orders of the groups $E(\mathbf Z/n\mathbf Z)$ are rather
uniformly distributed in the interval $(n + 1 - 2\sqrt n,\ n + 1 + 2\sqrt n)$. In 1986, S. Goldwasser
and J. Kilian [9] proposed a primality test based on the principle of Theorem 4.1 and on a
deterministic polynomial time algorithm to determine the number of points on an elliptic
curve over a finite field [21]. The running time of their probabilistic algorithm is polynomial
time if one assumes a certain unproved assumption on the distribution of prime numbers in
short intervals. Some years later, L. Adleman and M.-D. Huang eliminated the assumption,
by proposing a probabilistic test [2] involving abelian varieties of dimension 2. Both tests
are of theoretical rather than practical value. By now, even from a theoretical point of view
they have been superseded by the much simpler polynomial time deterministic algorithm
explained in section 2.

The key result is the following elliptic analogue of Theorem 4.1.

Theorem 4.2. Let $n > 1$ be a natural number and let $E$ be an elliptic curve over $\mathbf Z/n\mathbf Z$.
Suppose that there is a point $P \in E(\mathbf Z/n\mathbf Z)$ and an integer $s > 0$ for which

$$sP = 0, \quad\text{in } E(\mathbf Z/n\mathbf Z);$$

$$\tfrac{s}{q}P \ne 0, \quad\text{in } E(\mathbf Z/p\mathbf Z) \text{ for any prime divisor } p \text{ of } n \text{ and every prime divisor } q \text{ of } s.$$

Then every prime $p$ dividing $n$ satisfies $\#E(\mathbf Z/p\mathbf Z) \equiv 0 \pmod s$. In particular, if $s > (\sqrt[4]{n} + 1)^2$,
then $n$ is prime.

Proof. Let $p$ be a prime divisor of $n$. Then the image of the point $P$ in $E(\mathbf Z/p\mathbf Z)$ has
order $s$. This implies that $\#E(\mathbf Z/p\mathbf Z) \equiv 0 \pmod s$. By Hasse's Theorem, we have that
$\#E(\mathbf Z/p\mathbf Z) \le (\sqrt p + 1)^2$. Therefore, if $s > (\sqrt[4]{n} + 1)^2$, we have that

$$(\sqrt p + 1)^2 \ge \#E(\mathbf Z/p\mathbf Z) \ge s > (\sqrt[4]{n} + 1)^2,$$

and hence $p > \sqrt n$. If $n$ were composite, it would have a prime divisor $p \le \sqrt n$. We
conclude that $n$ is prime as required.

The algorithm reduces the problem of proving the primality of $n$ to the problem of
proving that a smaller number is prime as follows. Given a probable prime number $n$,
one randomly selects elliptic curves $E$ over $\mathbf Z/n\mathbf Z$ and determines the order of the group
$E(\mathbf Z/n\mathbf Z)$ until one finds a curve for which $\#E(\mathbf Z/n\mathbf Z)$ is of the form $r \cdot s$, where $s$ is a
probable prime number satisfying $s > (\sqrt[4]{n} + 1)^2$. In order to apply Theorem 4.2, one
selects a random point $Q \in E(\mathbf Z/n\mathbf Z)$ and computes $P = rQ$. One checks that $sP = 0$
in $E(\mathbf Z/n\mathbf Z)$ and that $P \ne 0$ in $E(\mathbf Z/p\mathbf Z)$ for every prime $p$ dividing $n$. If one works with
projective coordinates satisfying a Weierstrass equation, then the latter simply means that
the gcd of $n$ and the $z$-coordinate of $P$ is equal to 1. Theorem 4.2 implies then that $n$ is
prime if $s$ is prime.

In practice, one computes $\#E(\mathbf Z/n\mathbf Z)$ under the assumption that $n$ is prime. Then
one attempts to factor the order of the group $E(\mathbf Z/n\mathbf Z)$ by means of a simple trial division
algorithm or another method that finds small prime factors quicker than larger ones, like
Lenstra's Elliptic Curve Method [15]. Let $r$ be the product of these small prime factors.
When $\#E(\mathbf Z/n\mathbf Z)$ factors as a product $r \cdot s$ with $s$ a probable prime, it is in practice not
a problem to verify the conditions of Theorem 4.2 for some randomly selected point $P$.
That's because $n$ is probably prime. But we do not need to know this in order to apply
Theorem 4.2.
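As an added example, not from the paper, the verification of the hypotheses of Theorem 4.2 in affine coordinates, where a denominator that is not invertible modulo $n$ plays the role of the gcd check on the $z$-coordinate. The curve $y^2 = x^3 - x$ over $\mathbf Z/67\mathbf Z$ (which has $68 = 4 \cdot 17$ points, since $67 \equiv 3 \pmod 4$), the point $Q = (2, 26)$ and the composite input $n = 15$ are constructed; the function names are the example's own.

```python
from math import gcd, isqrt

class FactorFound(Exception):
    """A denominator that is not invertible modulo n; its gcd with n is the argument."""

def ec_add(P, Q, a, n):
    """Add affine points on y^2 = x^3 + a x + b over Z/nZ (None is the point at infinity).
    Every case where the points coincide or are opposite modulo some prime p | n but not
    modulo n raises FactorFound, so a returned point is correct modulo every p | n."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        g = gcd(y1 + y2, n)
        if g == n:
            return None                              # Q = -P modulo n
        if g != 1:
            raise FactorFound(g)                     # Q = -P modulo some p | n only
        num, den = (3 * x1 * x1 + a) % n, (2 * y1) % n   # P = Q modulo n: doubling
    else:
        num, den = (y2 - y1) % n, (x2 - x1) % n
    g = gcd(den, n)
    if g != 1:
        raise FactorFound(g)
    lam = num * pow(den, -1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def ec_mul(k, P, a, n):
    """k * P by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, P, a, n)
        P, k = ec_add(P, P, a, n), k >> 1
    return result

def theorem_4_2(n, a, b, Q, r, s):
    """Check the hypotheses of Theorem 4.2 for P = r Q on E: y^2 = x^3 + a x + b over
    Z/nZ, assuming #E(Z/nZ) = r * s was computed as if n were prime.  The bound
    s > (n^(1/4) + 1)^2 is checked through the sufficient condition (isqrt(s) - 1)^4 > n."""
    if n < 5 or n % 2 == 0 or gcd(4 * a ** 3 + 27 * b ** 2, n) != 1:
        return ('inconclusive', None)              # not an elliptic curve over Z/nZ
    if (isqrt(s) - 1) ** 4 <= n:
        return ('inconclusive', None)              # s too small for the theorem
    if (Q[1] ** 2 - Q[0] ** 3 - a * Q[0] - b) % n:
        return ('inconclusive', None)              # Q is not on the curve
    try:
        P = ec_mul(r, Q, a, n)
        if P is None:
            return ('inconclusive', None)          # r Q = 0: choose another Q
        if ec_mul(s, P, a, n) is not None:
            return ('inconclusive', None)          # s P != 0: n composite or #E != r*s
    except FactorFound as e:
        g = e.args[0]
        return ('composite', g) if 1 < g < n else ('inconclusive', None)
    # P is an affine point modulo n, hence nonzero in E(Z/pZ) for every prime p | n,
    # and s P = 0 in E(Z/nZ): the hypotheses of Theorem 4.2 hold.
    return ('prime-if-s-prime', None)

if __name__ == "__main__":
    print(ec_mul(4, (2, 26), -1, 67))                 # (24, 47), the point P = 4 Q
    print(theorem_4_2(67, -1, 0, (2, 26), 4, 17))     # ('prime-if-s-prime', None)
    print(theorem_4_2(15, -1, 0, (2, 6), 1, 16))      # ('composite', 3): doubling fails mod 3
```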
Just as in the multiplicative case discussed above, this computation usually does not
work out when $n$ is large. Typically one only succeeds in computing a small completely
factored factor $r$ of $\#E(\mathbf Z/n\mathbf Z)$ whose cofactor $s$ is not prime, but cannot be factored
easily. In that case one discards the curve $E$, randomly selects another one and tries
again. Since the curves $E$ are rather uniformly distributed with respect to the number of
points $\#E(\mathbf Z/n\mathbf Z)$, the number of attempts one needs to make before one encounters
a prime cofactor $s$ is expected to be $O(\log n)$. In the unlikely event that one is able to
factor $\#E(\mathbf Z/n\mathbf Z)$ completely or that one has $s < (\sqrt[4]{n} + 1)^2$, one is also satisfied. If this
happens, one can switch the roles of $r$ and $s$ and almost certainly apply Theorem 4.2.

Atkin turns the test of Goldwasser and Kilian into a practical test by selecting the
elliptic curves $E$ in the algorithm above more carefully [5]. Atkin considers suitable elliptic
curves over the complex numbers with complex multiplication (CM) by imaginary quadratic
orders of relatively small discriminant. He reduces the curves modulo $n$ and uses only
these in his primality proof. The main point is that it is not only theoretically, but also in
practice very easy to count the number of points on these elliptic curves modulo $n$. The
resulting test is in practice very efficient, but its running time is very difficult to analyze
rigorously, even assuming various conjectures on the distributions of smooth numbers and
prime numbers. We merely outline the algorithm.

Given $n$, Atkin first searches for imaginary quadratic integers $\varphi$ for which the following
two conditions hold:

$$N(\varphi) = n,$$
$$N(\varphi - 1) = r \cdot s,$$

where we have $r > 1$ and where $s$ satisfies $s > (\sqrt[4]{n} + 1)^2$ and is probably prime, in the sense
that it passes a probabilistic primality test. Here $N(\alpha)$ denotes the norm of an imaginary
quadratic number $\alpha$.

The theory of complex multiplication guarantees the existence of an elliptic curve
$E$ over $\mathbf C$ with endomorphism ring isomorphic to the ring of integers of the imaginary
quadratic field $\mathbf Q(\varphi)$. Moreover, if $n$ is prime, the characteristic polynomial of the Frobenius
endomorphism of the reduced curve $E \pmod n$ is equal to the minimum polynomial
of $\varphi$. The number of points in $E(\mathbf Z/n\mathbf Z)$ is equal to $N(\varphi - 1) = r \cdot s$. Therefore one may
apply Theorem 4.2 to some randomly selected point and conclude that $n$ is prime when $s$
is. We first explain how to compute suitable imaginary quadratic integers $\varphi$ and then how
to compute the corresponding elliptic curves.

If $n$ is prime, an imaginary quadratic field $F$ contains an element $\varphi$ with $N(\varphi) = n$
if and only if $n$ factors as a product of two principal prime ideals in the ring of integers
$O_F$ of $F = \mathbf Q(\varphi)$. The probability that this happens is $1/2h$ where $h$ is the class number
of $O_F$. Therefore in practice one first considers all imaginary quadratic fields with class
number $h = 1$, then the ones with class number $h = 2$, etc. First one checks whether
or not $n$ splits in $F$. If $n$ is prime, this happens if and only if the discriminant $\Delta_F$ is a
square modulo $n$. If $n$ splits, one sees whether it is a product of two prime principal ideals.
To do this one computes a square root $z$ of $\Delta_F$ modulo $n$. Then the ideal $I$ generated by
$n$ and $z - \sqrt{\Delta_F}$ is a prime divisor of $n$. To check that it is principal, one employs a lattice
reduction algorithm and computes a shortest vector in the rank 2 lattice generated by $n$
and $z - \sqrt{\Delta_F}$ in $\mathbf C$. If the shortest vector has norm $n$, then we take it as our integer $\varphi$
and we know that $I = (\varphi)$ is principal. If the norm of the shortest vector is not equal
to $n$, then the ideal $I$ is not principal and there does not exist an algebraic integer $\varphi \in F$
with $N(\varphi) = n$. In this case we cannot make use of the elliptic curves that have complex
multiplication by the ring of integers of $F$.

In practice one first computes a 'chain' of probable prime numbers $n = N(\varphi)$ with
$N(\varphi - 1) = r \cdot s$ as above, with the property that the primality of one number in the chain
implies the primality of the next one. The verifications of the conditions of Theorem 4.2 for
the associated elliptic curves $E$ are not expected to pose any problems and are performed
after a suitable chain has been found. Computing the chain is a rather unpredictable
enterprise, since it depends on how lucky one is with the attempts to factor the orders of
the groups $E(\mathbf Z/n\mathbf Z)$. It may involve some backtracking in a tree of probable primes. We
leave this to the imagination of the reader.

We explain how to compute the elliptic curves $E$ over $\mathbf Z/n\mathbf Z$ from the quadratic
integers $\varphi$. The $j$-invariants of elliptic curves over $\mathbf C$ that admit complex multiplication by
the ring of integers of $F = \mathbf Q(\varphi)$ are algebraic integers contained in the Hilbert class field
of $F$. The $j$-invariant of one such curve is given by

$$j(\tau) = \frac{\bigl(1 + 240\sum_{m=1}^{\infty} \sigma_3(m)\,q^m\bigr)^3}{q\prod_{m=1}^{\infty}(1 - q^m)^{24}},$$

where we have $q = e^{2\pi i\tau}$ and where $\tau \in \mathbf C$ has positive imaginary part and has the
property that the ring $\mathbf Z + \mathbf Z\tau$ is isomorphic to the ring of integers of $\mathbf Q(\varphi)$. The function
$\sigma_3$ is given by $\sigma_3(m) = \sum_{d \mid m} d^3$. The conjugates of $j(\tau)$ are obtained by evaluating $j$ at
other points of the upper half plane determined by suitable integers $a$, $b$. One computes
approximations to these numbers and then computes the coefficients of the minimum
polynomial of $j(\tau)$. This polynomial is contained in $\mathbf Z[X]$ and has huge coefficients.
Therefore one rather works with modular functions that are contained in extensions of
moderate degree $d$ (usually $d = 12$ or $24$) of the function field $\mathbf C(j)$. The coefficients of
these modular functions are much smaller. Typically their logarithms are $d$ times smaller [5].

If $n$ is prime, it splits by construction completely in the Hilbert class field $H$. We
compute a root of the minimal polynomial of $j(\tau)$ in $\mathbf Z/n\mathbf Z$ and call it $j$. From this we
compute a Weierstrass equation of an elliptic curve $E$ over $\mathbf Z/n\mathbf Z$ with $j$-invariant equal
to $j$. We perform all necessary computations as if $n$ were prime. Since $n$ probably is
prime, they will be successful. If $n$ is prime, then we have $\#E(\mathbf Z/n\mathbf Z) = N(\zeta\varphi - 1)$
for some root of unity $\zeta \in \mathbf Q(\varphi)$. If $\zeta \ne 1$, we 'twist' the curve $E$ so that we have
$\#E(\mathbf Z/n\mathbf Z) = N(\varphi - 1) = r \cdot s$. Usually, we have $\zeta \in \{\pm 1\}$. The exceptions are the fields
$F = \mathbf Q(i)$ and $F = \mathbf Q(\sqrt{-3})$, in which case there are 4 and 6 roots of unity respectively.